Skip to main content

Check Your Template, And Look For Unfamiliar JavaScript Code, Following Odd Blog Behaviour

Recently, we've been seeing some odd problem reports in Blogger Help Forum: Something Is Broken, suggesting deviously hijacked blogs.
My blog is requesting me to login, using a user name and password, when I view it.
Given the URL of the window requesting the login, it's a simple matter for us to use the right forensic Internet software, and to locate a relevant snippet of code, frequently installed as part of the blog template.

Sometimes, when we reply to the blog owner with advice to remove a bit of dodgy code, we get a response suggesting disbelief. Our advice
Use the Template Editor, and remove the highlighted code snippet.
may receive a confused or skeptical response.
Where did that bit of code come from? I never installed that!
How did the code in question get installed? Discussion of one possible scenario may require thinking outside the box. Not every unrecognised blog change is being caused by memory loss by the blog owner, after an intentional accessory install or template tweak.

Looking at the subject / theme of some blogs involved in recent problem reports, we're seeing a beginning of a trend, which may indicate a new - and very subtle - blog hijacking technique. We know that Blogger blogs are subjected to brute force password guessing attacks, and we know that Blogger / Google has to consider the possibility that a brute force attack detection is made after the attack was successful.

Current blog security, and defense against blog hijacks, involves detection of hijack attempts, by Google Security. It's possible that some blogs, with some owning Blogger accounts and passwords, are more vulnerable to sophisticated password guess hacking.

When you login to Blogger or Google, you hopefully know the right account name and password, and are generally able to get logged in - after maybe one or two mistakes. You learn, soon enough, that if you have to guess your account name or current password - and you require more than a couple tries - you may have to solve yet another CAPTCHA, or request account unlock, to continue.

The ever unpopular CAPTCHA / locked account comes from Google, detecting a possible brute force attack in progress, and protecting your account and your blogs. A Blogger blog, with its content providing enough clues, combined with a simple account password that is easily guessed, may allow an experienced hacker to login to your account in one or two tries, without being detected by Google attack monitors.

It's alternately possible that some attacks are being conducted by very patient hackers, who are able to use days, and / or thousands of different computers, to conduct a throttled brute force password attack. Again, just attack without providing a detectable pattern.

This may help to explain the mysterious spam blog setups, of last year.

A hacker, able to login to a Blogger account without being detected, could install small changes in a blog template without ever being discovered. The blog owner would never discover subtle template changes, made by an easily satisfied hacker.

Finally, install latent code that does not activate immediately, as we observed during Winter 2009 / 2010, so no blogs show symptoms until the hack is installed on thousands of blogs. If one or two blog owners discover the odd code in their blogs, who would ever suspect their blog being part of a massive cloud of victims?

If you report odd behaviour by your blog, you write to Blogger Help requesting advice, and you are advised to remove a bit of dodgy code from the template - and you do not remember having installed the noted dodgy code - you may want to review your Blogger / Google password, and make the password harder to guess. Better still, start using 2-step verification for logging in to your Blogger / Google account.

>> Top


Popular posts from this blog

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.

Help! I Can't See My Blog!

I just posted to my blog, so I know that it's there. I can tell others are looking at it. But I can't see it.

Well, the good news is you don't have a blog hijack or other calamity. Your blog is not gone.

Apparently, some ISPs are blocking *, or maybe have network configuration or infrastructure problems. You can access or you can access, but you can't access, or

You can't access them directly, that is. If you can access any free, anonymous proxy servers, though, you may be able to access your blog.

Note: You can use PKBlogs with the URL pre packaged. Here is the address of this post (with gratuitous line breaks to prevent the old post sidebar alignment problem):

And an additional URL, to provide to those suffering from this problem, would be the WordPress version of this post: